JJT211
Topic Author

help.mikrotik.com's advanced firewall

Tue Nov 17, 2020 5:17 pm

I run a WISP and started out with MikroTik about a year ago. I'm light years ahead of where I was then, and my current firewall is crap. My primary motivation, though, is that I'm pushing to move our sites to dual-stack IPv6.

There are loads of different firewall examples, but the one I like the most, and that seems to work well at home (with some caveats; there are of course a few typos), is the official firewall example at Building your First Firewall (advanced).

I'm reading line by line to make sure I FULLY understand everything that's going on before I deploy to production, and I have a few questions. And maybe we might motivate whoever maintains the help.mikrotik.com page to make some corrections as well. It's of course entirely possible it's just me ;)

I like that the example uses the RAW table and keeps the main filter rules neat and lean. I understand that there's no true DDoS protection, but I'd still like to implement some basic mitigation and be lenient enough to prevent any false positives. Our first order of business in the ISP world is passing packets, of course.

My questions are primarily regarding the RAW section in the optional ICMP chains. Let's start with the IPv4 section.

In the RAW section, there's a disclaimer:

"And another chain for ICMP. Note that if you want a very strict firewall then such strict ICMP filtering can be used, but in most cases, it is not necessary and simply adds more load on the router's CPU. ICMP rate limit in most cases is also unnecessary since the Linux kernel is already limiting ICMP packets to 100pps."

And here are the associated IPv4 rules with the rate limits in question:

add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp

The 5 pps rate limits are a major problem in my testing and seem way too restrictive. I've noticed I have ping drops, and it appears to affect DNS as well. I first thought about raising the rate limit a bit, to 25 pps or even 98 pps. Is there any advantage to doing that, or should I just drop the rate limit altogether? If I drop it, is the Linux kernel rate limit at 100 pps enough?

And then in the DDoS Protection section, there appear to be some typos.

/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers

It looks like it's missing a jump rule, as is evident in the explanation right below it. I'm not 100% sure, but the first rule is "return"; return from what?

My question here also is where the best placement of these DDoS rules would be in the entire firewall rule set. And also, where would the best placement for the SYN-ACK flood rules be? Right after the first set of jump and return rules above?

Like this? (I omitted the fasttrack rule because I'm using queues.)

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add chain=forward connection-state=new action=jump jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward src-address-list=no_forward_ipv4 comment="defconf: drop bad forward IPs"
add action=drop chain=forward dst-address-list=no_forward_ipv4 comment="defconf: drop bad forward IPs"

And then in the IPv6 section, I'm having issues with the ICMP chain in the RAW rules. IPv6 doesn't work at all unless I disable the "in-interface-list=LAN" part of these rules (shown below). I also omitted the limit portion on IPv6 since, from what I understand, DDoS is rare on IPv6 due to the sheer size of the address space. Am I missing something? Is this a big deal, or am I nitpicking?

/ipv6 firewall raw
add action=accept chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
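Two of the questions above (why `limit=5,10:packet` drops pings so readily, and what the `return` in `detect-ddos` returns from) come down to how the RouterOS `limit` and `dst-limit` matchers behave. The following is an added example written for this page, not RouterOS code and not taken from help.mikrotik.com: a token-bucket model of both matchers, with the `detect-ddos` chain wired up behind the `forward`/`connection-state=new` jump the post proposes, run over constructed packet traces. The modelling assumptions are labelled in the docstring; the addresses are RFC 5737 documentation ranges and the timings are made up. The key difference it illustrates is that `limit` keeps one bucket per rule, shared by every host whose pings traverse the router, whereas `dst-limit ... src-and-dst-addresses` keeps one bucket per source/destination pair.

```python
"""Token-bucket model of the RouterOS `limit` / `dst-limit` matchers and of the
detect-ddos chain quoted in the post, run over constructed packet traces.

Added example for this page; not RouterOS code and not from help.mikrotik.com.
Modelling assumptions: a bucket starts full at `burst` tokens, refills at `rate`
tokens per second and the rule matches only while a whole token is available;
a dst-limit entry idle longer than `expire` is forgotten; re-adding an address
to a list refreshes its timeout; raw prerouting is evaluated before any filter
rule; add-*-to-address-list rules pass the packet through.  Times are in ms."""
from collections import Counter
from fractions import Fraction


class TokenBucket:
    """Exact (Fraction-based) token bucket so the results are reproducible."""

    def __init__(self, rate, burst):
        self.rate = rate                  # tokens per second
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)     # assumption: bucket starts full
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            refill = Fraction((now_ms - self.last_ms) * self.rate, 1000)
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def icmp_limit(trace_ms, rate=5, burst=10):
    """Model of `limit=rate,burst:packet` on the icmp4 echo rule: one bucket for
    the whole rule.  Packets that fail the matcher fall through to the chain's
    final drop.  Returns (accepted, dropped)."""
    bucket = TokenBucket(rate, burst)
    accepted = sum(1 for t in trace_ms if bucket.allow(t))
    return accepted, len(trace_ms) - accepted


class DdosDetector:
    """Model of the DDoS section with the jump rule the post says is missing:
      forward, connection-state=new  -> jump detect-ddos
      detect-ddos: return if dst-limit=32,32,src-and-dst-addresses/10s matches,
                   else add dst to ddos-target and src to ddos-attackers (10m)
      raw prerouting: drop if src in ddos-attackers AND dst in ddos-target."""

    def __init__(self, rate=32, burst=32, expire_ms=10_000, list_timeout_ms=600_000):
        self.rate, self.burst = rate, burst
        self.expire_ms, self.list_timeout_ms = expire_ms, list_timeout_ms
        self.buckets = {}      # (src, dst) -> TokenBucket, one per pair
        self.attackers = {}    # src -> list entry expiry (ms)
        self.targets = {}      # dst -> list entry expiry (ms)

    @staticmethod
    def _listed(table, addr, now_ms):
        return addr in table and table[addr] > now_ms

    def process(self, now_ms, src, dst, new_conn=True):
        # raw runs first and sees every packet, established or not
        if self._listed(self.attackers, src, now_ms) and self._listed(self.targets, dst, now_ms):
            return "raw-drop"
        if not new_conn:
            return "accept"    # established/related is accepted before the jump
        key = (src, dst)
        bucket = self.buckets.get(key)
        if bucket is None or now_ms - bucket.last_ms > self.expire_ms:
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst)
        if bucket.allow(now_ms):
            return "accept"    # action=return: back to the forward chain
        # the return rule did not match, so both add-*-to-address-list rules fire
        # and the packet itself carries on down the forward chain
        self.attackers[src] = now_ms + self.list_timeout_ms
        self.targets[dst] = now_ms + self.list_timeout_ms
        return "listed"


def run(detector, packets):
    """Feed (t_ms, src, dst) tuples through the model; return verdict counts."""
    return Counter(detector.process(t, s, d) for t, s, d in packets)


# Constructed traces (RFC 5737 documentation addresses, not real hosts)
PING_BURST = [i * 25 for i in range(40)]                                 # 40 echo requests in 1 s
PING_STEADY = [i * 1000 for i in range(10)]                              # plain `ping` at 1 pps
FLOOD = [(i * 10, "203.0.113.5", "198.51.100.10") for i in range(100)]   # 100 new conns in 1 s
LEGIT = [(i * 200, "192.0.2.20", "198.51.100.10") for i in range(5)]     # same target, 5 conns/s

if __name__ == "__main__":
    print("limit=5,10  on the 40-packet burst:", icmp_limit(PING_BURST, 5, 10))
    print("limit=25,50 on the 40-packet burst:", icmp_limit(PING_BURST, 25, 50))
    print("limit=5,10  on steady 1 pps:       ", icmp_limit(PING_STEADY))
    det = DdosDetector()
    print("flood pair:                   ", run(det, FLOOD))
    print("legit pair to the same target:", run(det, LEGIT))
```

Running it shows the shared bucket of `limit=5,10` rejecting 26 of 40 echo requests that arrive within one second (any few hosts behind the router pinging at once produce that), while a steady 1 pps ping is untouched; raising the rule to 25,50 passes the whole burst. For the DDoS chain, the flood pair gets 46 new connections through before the `return` stops matching, the 47th packet lands both addresses in the lists, and from then on the raw rule drops the pair; a second source opening a handful of connections to the same target is still accepted, because the raw drop requires both the source and the destination to be listed.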
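For the IPv6 question, it helps to evaluate the `icmp6` RAW chain exactly as quoted above against the Neighbor Discovery traffic a dual-stack edge router actually receives. The block below is an added example written for this page, not RouterOS code and not from help.mikrotik.com: it encodes the chain as data, evaluates first-match over a few constructed ICMPv6 packets, and compares the chain with the `in-interface-list=LAN` matcher against the variant without it. Assumptions, also noted in the code: packets reach `icmp6` through a prerouting jump on `protocol=icmpv6` (part of the official example, not shown in the post), the interface lists are `LAN={ether2}` and `WAN={ether1}`, the mobility rules are collapsed into a loop, and the packet values are made up.

```python
"""Evaluate the icmp6 RAW chain quoted in the post against constructed ICMPv6
packets, to see which packets reach the final "drop other icmp" rule.

Added example for this page; not RouterOS code and not from help.mikrotik.com.
Assumptions: packets reach chain icmp6 via a prerouting jump on protocol=icmpv6
(not shown in the post); interface lists are LAN={ether2}, WAN={ether1}; a rule
matches only when every matcher it carries matches.  Packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

IFACE_LISTS = {"LAN": {"ether2"}, "WAN": {"ether1"}}   # assumed list membership


@dataclass
class Packet:
    iface: str              # ingress interface
    type: int               # ICMPv6 type
    code: int
    hop_limit: int
    dst: IPv6Address


@dataclass
class Rule:
    action: str                                     # "accept" or "drop"
    comment: str
    icmp_type: Optional[int] = None                 # None matches any type
    codes: range = range(0, 256)                    # icmp-options code range
    hop_limit: Optional[Tuple[str, int]] = None     # ("equal"|"not-equal", n)
    dst: Optional[IPv6Network] = None               # dst-address matcher
    in_list: Optional[str] = None                   # in-interface-list matcher

    def matches(self, p: Packet) -> bool:
        if self.icmp_type is not None and p.type != self.icmp_type:
            return False
        if p.code not in self.codes:
            return False
        if self.hop_limit is not None:
            op, n = self.hop_limit
            if (p.hop_limit == n) != (op == "equal"):
                return False
        if self.dst is not None and p.dst not in self.dst:
            return False
        if self.in_list is not None and p.iface not in IFACE_LISTS[self.in_list]:
            return False
        return True


def build_chain(nd_lan_only: bool) -> List[Rule]:
    """The icmp6 chain as posted.  nd_lan_only=False drops the in-interface-list=LAN
    matcher from the six RS/RA/NS/NA/inverse-ND rules, the change the post describes."""
    nd = "LAN" if nd_lan_only else None
    rules = [
        # action and comment reproduced as posted: the comment says drop, the action is accept
        Rule("accept", "defconf: rfc4890 drop ll if hop-limit!=255",
             dst=IPv6Network("fe80::/10"), hop_limit=("not-equal", 255)),
        Rule("accept", "defconf: dst unreachable", 1),
        Rule("accept", "defconf: packet too big", 2),
        Rule("accept", "defconf: limit exceeded", 3, range(0, 2)),
        Rule("accept", "defconf: bad header", 4, range(0, 3)),
    ]
    rules += [Rule("accept", f"defconf: mobile IPv6 type {t}", t) for t in (144, 145, 146, 147)]
    rules += [Rule("accept", "defconf: echo request", 128),
              Rule("accept", "defconf: echo reply", 129)]
    rules += [Rule("accept", f"defconf: rfc4890 type {t} only LAN", t,
                   hop_limit=("equal", 255), in_list=nd)
              for t in (133, 134, 135, 136, 141, 142)]
    rules.append(Rule("drop", "defconf: drop other icmp"))
    return rules


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation; returns (action, comment) of the matching rule."""
    for r in chain:
        if r.matches(p):
            return r.action, r.comment
    raise RuntimeError("chain has no terminal rule")


# Constructed packets: what an edge router sees on its WAN and LAN ports
RA_FROM_WAN = Packet("ether1", 134, 0, 255, IPv6Address("ff02::1"))           # upstream RA
NS_FROM_WAN = Packet("ether1", 135, 0, 255, IPv6Address("ff02::1:ff00:1"))    # upstream NS
NS_FROM_LAN = Packet("ether2", 135, 0, 255, IPv6Address("ff02::1:ff00:1"))    # customer NS
ECHO_FROM_WAN = Packet("ether1", 128, 0, 64, IPv6Address("2001:db8::1"))     # ping from Internet
BAD_HOP_LL = Packet("ether2", 135, 0, 64, IPv6Address("fe80::1"))            # NS with bad hop limit

if __name__ == "__main__":
    for name, chain in (("LAN-only ND", build_chain(True)), ("ND on any iface", build_chain(False))):
        print(f"== {name}")
        for label, pkt in (("RA from WAN", RA_FROM_WAN), ("NS from WAN", NS_FROM_WAN),
                           ("NS from LAN", NS_FROM_LAN), ("echo from WAN", ECHO_FROM_WAN),
                           ("NS to fe80 hop 64", BAD_HOP_LL)):
            print(f"  {label:20s} -> {evaluate(chain, pkt)}")
```

With the `in-interface-list=LAN` matcher in place, the Router Advertisement and Neighbor Solicitation arriving from the upstream on the WAN port match none of the RFC 4890 rules and hit the final `drop other icmp`, which means the router can neither learn its upstream prefix by SLAAC nor resolve its next hop's link-layer address; without the matcher the same packets are accepted, which is consistent with the behaviour the post reports. The model also makes the first rule's action visible: as posted it accepts a link-local-destined packet whose hop limit is not 255, although its comment says drop.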
